Setting up Tailscale on AWS EC2

Tailscale can connect both your physical machines and your cloud virtual machines. Here's how you can configure Tailscale to run in Amazon Web Services (AWS) virtual machines.

You will need:

  • Access to an AWS console (with permission to create/launch VPCs and EC2 instances).

  • At least one Windows, Linux, macOS, or iOS device with which to connect to the new AWS instance.

Create an Amazon VPC With Two Ubuntu Servers

The goal of this section is to launch a simple AWS network within a Virtual Private Cloud (VPC) and configure an instance on a private subnet that we’ll later access using Tailscale.

  1. Create a VPC with public and private subnets ( and, respectively), being sure to use a NAT Instance (instead of a NAT Gateway). This is most easily done through the "VPC Wizard", option #2.

  2. Modify the NAT instance's security group to allow Inbound HTTPS traffic from the private subnet. (In other words, outgoing HTTPS traffic from the subnet to the Tailscale coordination server, which is on the public Internet.) This is required for tailscale-login to work. See Table 1 for details.

    Ports Protocol Source
    443 TCP
    0-65535 UDP
    Table 1: NAT Instance Security Group (Inbound) Additions

  3. Modify the NAT instance's security group to allow for all Inbound UDP traffic from the private subnet. This is required to allow relaynode to make outgoing connections to the coordination server. (Note: "inbound" traffic, counterintuitively, refers to traffic originating from the private subnet, NATted, and headed toward the external Internet. We are not actually opening inbound ports on the NAT firewall.). See Table 1 for details.

  4. Launch an Ubuntu instance on the private subnet.

  5. Launch an Ubuntu instance on the public subnet.

  6. SSH to the public instance and, from there, to the private instance. Install Tailscale using the instructions below:

  7. Configure subnet routes to allow full access to all of the devices on both subnets through the Tailscale agent. For the NAT Instance described above, use --routes=, to permit access to both subnets.

Congratulations! You’re done.

Last updated